feat: Post login Idp

Signed-off-by: Hoang Pham <[email protected]>
nextcloud · Jul 4, 2024 · 7551b07 · 7551b07
1 parent 1f0a05c
commit 7551b07
Show file tree

Hide file tree

Showing 5 changed files with 37 additions and 10 deletions.
diff --git a/js/admin.js b/js/admin.js
@@ -355,10 +355,12 @@ $(function() {
 			} else {
 				$(this).val("0");
 			}
+
 			if(key === 'require_provisioned_account') {
 				$('#user-saml-attribute-mapping').toggleClass('hidden');
 				$('#user-saml-filtering').toggleClass('hidden');
 			}
+
 			OCA.User_SAML.Admin.setSamlConfigValue('general', key, $(this).val(), true);
 		});
 	});

diff --git a/lib/Controller/SAMLController.php b/lib/Controller/SAMLController.php
@@ -34,6 +34,8 @@
 use OneLogin\Saml2\Error;
 use OneLogin\Saml2\Settings;
 use OneLogin\Saml2\ValidationError;
+use Psr\Container\ContainerExceptionInterface;
+use Psr\Container\NotFoundExceptionInterface;
 use Psr\Log\LoggerInterface;
 
 class SAMLController extends Controller {
@@ -180,7 +182,7 @@ protected function assertGroupMemberships(): void {
 	 *
 	 * @throws Exception
 	 */
-	public function login(int $idp = 1) {
+	public function login(int $idp = 1): Http\RedirectResponse|Http\TemplateResponse {
 		$originalUrl = (string)$this->request->getParam('originalUrl', '');
 		if (!$this->trustedDomainHelper->isTrustedUrl($originalUrl)) {
 			$originalUrl = '';
@@ -194,7 +196,8 @@ public function login(int $idp = 1) {
 				$returnUrl = $originalUrl ?: $this->urlGenerator->linkToRouteAbsolute('user_saml.SAML.login');
 				$ssoUrl = $auth->login($returnUrl, [], false, false, true);
 
-				$method = $this->request->getParam('method', 'get');
+				$settings = $this->samlSettings->get($idp);
+				$method = $settings['general-saml_request_method'] ?? 'get';
 				if ($method === 'post') {
 					$query = parse_url($ssoUrl, PHP_URL_QUERY);
 					parse_str($query, $params);
@@ -630,6 +633,11 @@ private function getIdps(string $redirectUrl): array {
 		return $result;
 	}
 
+	/**
+	 * @throws ContainerExceptionInterface
+	 * @throws NotFoundExceptionInterface
+	 * @throws \OCP\DB\Exception
+	 */
 	private function getSSOUrl(string $redirectUrl, string $idp): string {
 		$originalUrl = '';
 		if (!empty($redirectUrl)) {
@@ -639,17 +647,19 @@ private function getSSOUrl(string $redirectUrl, string $idp): string {
 		/** @var CsrfTokenManager $csrfTokenManager */
 		$csrfTokenManager = Server::get(CsrfTokenManager::class);
 		$csrfToken = $csrfTokenManager->getToken();
-		$ssoUrl = $this->urlGenerator->linkToRouteAbsolute(
+
+		$settings = $this->samlSettings->get((int)$idp);
+		$method = $settings['general-saml_request_method'] ?? 'get';
+
+		return $this->urlGenerator->linkToRouteAbsolute(
 			'user_saml.SAML.login',
 			[
 				'requesttoken' => $csrfToken->getEncryptedValue(),
 				'originalUrl' => $originalUrl,
 				'idp' => $idp,
-				'method' => 'post',
+				'method' => $method,
 			]
 		);
-
-		return $ssoUrl;
 	}
 
 	/**

diff --git a/lib/SAMLSettings.php b/lib/SAMLSettings.php
@@ -26,6 +26,7 @@ class SAMLSettings {
 	public const IDP_CONFIG_KEYS = [
 		'general-idp0_display_name',
 		'general-uid_mapping',
+		'general-saml_request_method',
 		'idp-entityId',
 		'idp-singleLogoutService.responseUrl',
 		'idp-singleLogoutService.url',

diff --git a/lib/Settings/Admin.php b/lib/Settings/Admin.php
@@ -85,7 +85,7 @@ public function getForm() {
 				'text' => $this->l10n->t('Only allow authentication if an account exists on some other backend (e.g. LDAP).'),
 				'type' => 'checkbox',
 				'global' => true,
-			]
+			],
 		];
 		$attributeMappingSettings = [
 			'displayName_mapping' => [
@@ -199,6 +199,11 @@ public function getForm() {
 				'type' => 'line',
 				'required' => false,
 			];
+			$generalSettings['saml_request_method'] = [
+				'text' => $this->l10n->t('Use POST method for SAML request (default: GET)'),
+				'type' => 'checkbox',
+				'required' => false,
+			];
 			$generalSettings['allow_multiple_user_back_ends'] = [
 				'text' => $this->l10n->t('Allow the use of multiple user back-ends (e.g. LDAP)'),
 				'type' => 'checkbox',

diff --git a/templates/login_post.php b/templates/login_post.php
@@ -4,17 +4,26 @@
  * SPDX-License-Identifier: AGPL-3.0-or-later
  */
 
-/** @var array $_ */
+/**
+ * @var array $_
+ * @var IL10N $l
+ *
+ */
+
+use OCP\IL10N;
+
+p($l->t('Please wait while you are redirected to the SSO server.'));
 ?>
-Please wait while you are redirected to the SSO server.
 
 <form action="<?= $_['ssoUrl'] ?>" method="post">
 	<input type="hidden" name="SAMLRequest" value="<?= $_['samlRequest'] ?>" />
 	<input type="hidden" name="RelayState" value="<?= $_['relayState'] ?>" />
 	<input type="hidden" name="SigAlg" value="<?= $_['sigAlg'] ?>" />
 	<input type="hidden" name="Signature" value="<?= $_['signature'] ?>" />
 	<noscript>
-		<p>JavaScript is disabled. Click the button below to continue.</p>
+		<p>
+			<?php p($l->t('Please wait while you are redirected to the SSO server.')); ?>
+		</p>
 		<input type="submit" value="Continue" />
 	</noscript>
 </form>